Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

Transcription

1 Controlled Unclassified Information (CUI) and FISMA: an update May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

2 What is FISMA? Federal Information Security Modernization Act Defines how Federal information systems should be secured National Institutes of Standards and Technology (NIST) define the guidelines

3 FISMA vs. NIST FISMA gives the National Institutes of Standards and Technology (NIST) statutory responsibilities to establish nonproduct specific guidelines and standards to ensure a reasonable level of security in government systems The term FISMA compliance is often used to describe the process organizations go through to implement the NIST standards and guidelines

4 NIST Publications NIST publishes guidelines NIST SP : Federal systems NIST SP : Non-Federal systems These documents reference other NIST publications including Federal Information Processing Standards (FIPS)

5 NIST SP Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations Key document outlines measures to protect data and systems

6 CIA Confidentiality Data/system is protected Integrity Data/system is not altered Availability Data/systems can be accessed for business

7 Security Requirement Families Access Control Awareness and Training Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Risk Assessment System and Communications Protection System and Information Integrity

8 Example Controls Access Control , Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Awareness and Training 3.2.3, Provide security awareness training on recognizing and reporting potential indicators of insider threat. Audit and Accountability 3.3.2, Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. Incident Response 3.6.1, Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

9 Example Controls Media Protection: 3.8.1, Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital , Sanitize or destroy information system media containing CUI before disposal or release for reuse. System and Information Integrity: , Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks , Identify unauthorized use of the information system.

10 Controlled Unclassified Information An open and uniform program to manage all unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy

11 Controlled Unclassified Information 32 CFR 2002 Effective 11/14/2016 Establishes policy for designating, handling, and decontrolling information that qualifies as CUI Goal to standardize how CUI is managed

12 Controlled Unclassified Information 32 CFR 2002 Effective 11/14/2016 Describes, defines, and provides guidance on the minimum protections for CUI Physical and Electronic Environments Destruction Marking Sharing Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities) These protections must continue as described in the underlying authorities.

13 Controlled Unclassified Information Two types of CUI CUI Specified: subset of CUI where there are governing laws requiring specific controls to manage (e.g. ITAR; HIPAA) CUI Basic: subset of CUI that is not Specified

14 Protecting CUI: summary Establish controlled environments Reasonably ensure unauthorized access does not occur Keep CUI under authorized control Protect confidentiality

15 Protecting CUI: summary Since we are (typically) not running a system for an agency CONFIDENTIALITY is the concern Integrity and Availability do not matter Unless it matters to you! Confidentiality protections must be at the MODERATE level

16 Protecting CUI: summary Security requirements obtained from NIST SP Requirements tailored to streamline and remove controls that are (SP ): 1. Uniquely Federal 2. Not protecting CUI Confidentiality 3. Routinely satisfied

17 Protecting CUI: summary CUI Basic: Confidentiality Moderate CUI Specified: may require Confidentiality, Integrity, Availability to be Moderate (or higher) Controls are the BASELINE

18 Current Activities Federal Government still working on implementing the full CUI program FAR Basic Safeguarding of Covered Contractor Information Inconsistencies within and among Federal agencies FAR clause still under development FDP institutions provided feedback to National Archives

19 University of Florida

20 UF Background: Major Milestones 2015 $40 million data analytics contract requires FISMA moderate UF Research Shield goes live July 1, compliant with NIST moderate DFAR starts to require NIST UF Restricted Data Work Group formed to handle strategy and governance UF Research Vault fit/gap for requirements Understanding 32 CFR 2002, what is CUI? 2017 Refine annual assessment process for UF Research Shied Continue to address gaps for UF Research Vault $4.6 million contract requires FISMA moderate for animal study

21 UF IT Solutions one size does not fit all Solutions Pros Cons Research Shield: compliant solution for research projects with complex collaborations and data processing -Pre-assessed environment speeds up review/onboarding -Low cost to researcher due to institutional subsidy -Available now for projects with single user and software only -Onboarding can take 1 4 months depending on complexity Research Vault: compliant solution for research projects that only need to work with software/data storage/data processing Pre-Built Computer Images: install pre-built configuration in a secure network environment Custom built computing environment -Pre-assessed environment speeds up review/onboarding -Low cost due to researcher due to institutional subsidy -Available now for projects with single user and software only -Pre-assessed environment speeds up review/onboarding -Low cost, about the price of a new computer/laptop -Supports all special requirements, external devices -Linux and windows are supported -Local IT installs images and supports the machine -Custom build supports all special requirements, external devices, etc -Local IT maintain and control the environment -External devices or equipment cannot be used with ResVault -Complex collaborations or shared databases not supported until fall Pre-Built images and secure network not available until summer Requires full risk assessment, approx. 1 6 months -High cost since building from scratch

22 The challenge continues IT solutions one size does not fit all, how do you build a compliant environment that scales to the majority of needs? Inconsistencies with contract terms and conditions if you try to push back, but no luck, what then? Federal rules and IT standards are constantly evolving, how do you develop local strategy, process and policy that withstands the regulation moving target?

23 University of California - Irvine

24 UCI: The Long Road Late 2000s NIH National Children s Study requires FISMA moderate (2007) Secure environment provided by NIH NIH Spinal Cord Injury Replication Animal Study requires FISMA moderate (2009) Consulting company procured to build secure data center 2014 Data Use Agreements require various information security plans and/or certifications Formation of UCI Research CyberInfrastructure (RCI) Standing subcommittee reinstated What is CUI? What about student data?

25 UCI s Approach to FISMA Contract and Grant Officers review Requests for Proposals, Contract Terms, and Data Use Agreement to identify FISMA requirements Information Security Officer(s) ( ISO ) are notified to assist with assessment of requirements and next steps C&G Officer works with the appropriate ISO and PI to negotiate the appropriate classification level ISO prepares the project specific addendum to the FISMA Core Security Plan for submission to Agency by C&G Officer ISO interacts with Agency ISO and Contracting Officer to finalize the plan as appropriate

26 UCI: Compliant Environments Considerations Centralized vs. De-centralized Cost Buy-in Options Cloud-based solutions Local enclaves Hybrid solutions

27 UCI: Challenges IT solutions how do you design scalable options to fit researchers needs? Getting everyone (Sponsored Projects, IT, PIs) in the same room and on the same page

28 Institutional Perspectives Contract/Agreement Negotiations Institutional Buy In & Support Architecture & IT Implementation Policy Development Other Organizational Strategies/Risk Determination

29 Contact Information Mark Sweet, era Steering Committee Co-Chair; Stephanie Gray, University of Florida; Alicia Turner, University of Florida; Nancy Lewis, University of California Irvine; Grace Park, University of California Irvine;